[redhat-lspp] Labeled IPsec localhost problems

Paul Moore paul.moore at hp.com
Tue Jan 30 22:43:14 UTC 2007 

As discussed in the LSPP conference call this week, it appears that when using 
IPsec over localhost (I suspect you will see this behavior whenever the IPsec 
selector for two SAs are the same) only a single SA is used, i.e. the 
directionality of the SA is not preserved.  During the call I mentioned that 
I was slightly concerned about this being a problem but at the time the only 
thing I could think of was the AH/ESP sequence number.

While thinking about it a bit more today I believe there is another, more 
serious concern; I'm hoping the labeled IPsec experts here could help 
validate or disprove this ...

When using labeled IPsec the packet's are said to be implicitly labeled based 
on the label assigned to the SA when it is created.  In practice, the SAs are 
assigned labels based on the security context of the socket which triggers 
the SPD rule requiring the use of IPsec (this glosses over some things, I 
know, but I believe it captures the basic concept).  Since SAs are intended 
to be unidirectional, for each bidirectional communication channel two SAs 
are created.  In the traditional client-server model this means that for any 
given communication channel between the two domain the client->server SA will 
be labeled with label "A" and the server->client SA will be labeled with 
label "B".  Normally this works fine, however, when the two SAs have the same 
IPsec selector then the kernel gets confused and picks the same SA for each 
direction.  The network traffic then gets labeled incorrectly in one of the 
two directions.

I know TCS did some work to at least partially (maybe fully?) integrate the 
label into the IPsec selector so this may not be an issue, but I know Joy/IBM 
mentioned seeing the same behavior during her labeled IPsec tests so I 
suspect this is in fact a problem.  Unfortunately I don't have anything setup 
to quickly test this so I thought I would send it out to list in hopes that 
someone else had already thought of this problem and (hopefully) solved it.

Anyone?

-- 
paul moore
linux security @ hp

More information about the redhat-lspp mailing list